Standing administrative privileges remain one of the most exploited weaknesses in cloud identity environments. When an account holds a permanent Global Administrator or Exchange Administrator role, that privilege is available to an attacker at any moment the credential is compromised, whether through phishing, token theft, or session hijacking. For organisations in WA Government and financial services, this standing exposure sits directly at odds with audit expectations for least-privilege administration.
The Essential Eight mitigation strategy for restricting administrative privileges calls for privileges to be validated, limited to the tasks required, and revoked when no longer needed. Microsoft Entra Privileged Identity Management (PIM) provides a native pattern for applying these principles to Microsoft 365, replacing permanent role assignments with time-bound, approved, and audited activation.
Persistent administrative roles create three distinct issues. First, they widen the attack surface continuously rather than only during genuine administrative work. Second, they make it difficult to demonstrate to an auditor who held which privilege at a given point in time. Third, they encourage role sprawl, where accounts accumulate high-privilege assignments that are rarely reviewed and seldom removed.
A least-privilege model addresses all three by making elevated access the exception rather than the default state. Administrators hold no active privilege until they need it, request it, and have that request approved.
PIM introduces the concept of an eligible assignment. Rather than being permanently active in a role such as User Administrator or Security Administrator, an account is made eligible for it. The privilege remains dormant until the administrator activates it for a defined window, after which it lapses automatically.
Activation can be shaped by several controls that map cleanly to Essential Eight expectations:
This model means that even if an eligible account is compromised, the attacker inherits no active administrative privilege. They would additionally need to satisfy MFA, provide justification, and in many configurations wait for human approval.
Time-bound activation controls day-to-day privilege use, but eligibility itself must also be governed. Access reviews allow an organisation to recertify who remains eligible for each privileged role on a recurring schedule. Reviewers confirm whether continued eligibility is justified, and assignments that are no longer required are removed.
For regulated organisations, this recurring recertification produces exactly the evidence auditors expect. It demonstrates that privileged access is not simply granted and forgotten, but is examined, attested, and pruned on a defined cadence.
Adopting PIM is best treated as a staged programme rather than a single switch. A workable sequence is as follows:
Break-glass planning deserves particular attention. Emergency access accounts should be excluded from policies that could prevent sign-in during an outage, held under strict physical and procedural control, and alerted on whenever used.
PIM produces detailed logs of eligibility changes, activations, approvals, and review outcomes. These records allow an organisation to answer the questions auditors most frequently ask about administrative privilege: who could act as an administrator, when they actually did, why, and who authorised it. Delivered through a Microsoft-native capability, this pattern gives WA Government and financial services organisations a concrete, defensible route to the least-privilege posture the Essential Eight requires.

Level 7, 12 St Georges Tce
Perth WA 6000
[email protected]
Ph 1300 NOVATA

In the spirit of reconciliation Novata Solutions acknowledges the Traditional Custodians of country throughout Australia and their connections to land, sea and community. We pay our respect to their Elders past and present and extend that respect to all Aboriginal and Torres Strait Islander peoples today. This land always was, and always will be Aboriginal Land.

Novata Solutions is committed to embracing diversity and eliminating all forms of discrimination through education. We welcomes all people and is respectful of individual identities.